Recent updates to the Meraki firewall line make it possible to fail over automatically to a VPN tunnel when an MPLS circuit fails. The firewall does this by checking the MPLS route periodically, either by pinging the default gateway or, better yet, a host on the remote network. If a series of pings is lost, the firewall fails over to a VPN tunnel that is already up and waiting in standby. These tunnels are created automatically through the Meraki cloud between any or all of the connected firewalls in the company's network. Here is a view of the routes and their current statuses:


When the firewall stops getting replies from the remote host, it assumes the route is no longer valid and fails over to the VPN. It is therefore important that the host you ping on the remote side is stable and replies to pings consistently, to avoid failing over unnecessarily; a host that drops or rate-limits ICMP, or that is rebooted often, will trigger failovers that have nothing to do with the circuit. When the route becomes available again, the firewall reverts to the MPLS circuit to reach the destination.
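To make the decision logic concrete, here is a small simulation of the behaviour described above: a monitor feeds periodic probe results into a state machine that fails over after a run of lost replies and reverts to MPLS after the route answers again. This is an added example, not Meraki's code; the threshold values, the `RouteMonitor` class and the requirement for several consecutive good probes before reverting (hysteresis against flapping) are assumptions chosen for illustration, and the probe sequence is constructed.

```python
"""Simplified model of MPLS-to-VPN failover driven by probe replies.

Added example, not Meraki's implementation. The thresholds and the
hysteresis on recovery are assumptions used to illustrate the mechanism:
periodic pings to a remote host, fail over after a run of lost replies,
revert to MPLS once the route answers again.
"""
from dataclasses import dataclass, field

MPLS = "mpls"
VPN = "vpn"


@dataclass
class RouteMonitor:
    """Tracks one MPLS route by the replies of a periodic probe to a remote host."""
    fail_after: int = 3       # consecutive lost probes before failing over (assumed)
    recover_after: int = 5    # consecutive good probes before reverting (assumed)
    active: str = MPLS
    lost: int = 0
    good: int = 0
    transitions: list = field(default_factory=list)

    def observe(self, reply: bool, t: int) -> str:
        """Feed one probe result at tick t; return the path traffic should use."""
        if reply:
            self.good += 1
            self.lost = 0
        else:
            self.lost += 1
            self.good = 0

        if self.active == MPLS and self.lost >= self.fail_after:
            self.active = VPN
            self.transitions.append((t, VPN))
        elif self.active == VPN and self.good >= self.recover_after:
            # Requiring several good probes before reverting avoids flapping
            # between paths while the circuit is only intermittently answering.
            self.active = MPLS
            self.transitions.append((t, MPLS))
        return self.active


def simulate(replies, fail_after=3, recover_after=5):
    """Run a probe-result sequence through the monitor.

    Returns (active path per tick, list of (tick, new path) transitions).
    """
    mon = RouteMonitor(fail_after=fail_after, recover_after=recover_after)
    path = [mon.observe(r, t) for t, r in enumerate(replies)]
    return path, mon.transitions


# Constructed probe sequence (True = reply received): a healthy circuit,
# an outage, two good replies and one more loss during recovery, then a
# sustained recovery.
SAMPLE = [True] * 4 + [False] * 6 + [True] * 2 + [False] + [True] * 6

if __name__ == "__main__":
    path, transitions = simulate(SAMPLE)
    for t, (r, p) in enumerate(zip(SAMPLE, path)):
        print(f"t={t:2d} reply={'yes' if r else 'no':3s} active={p}")
    print("transitions:", transitions)
```

With the default thresholds the single lost reply at tick 12 resets the recovery count but does not cause a second failover, and the monitor only returns to MPLS at tick 17; lowering `recover_after` to 1 makes it revert at tick 10, which is the flapping behaviour a too-eager revert produces on a circuit that is still unhealthy.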

All in all, this is a good solution for those running on an MPLS network. If all of your sites use Meraki firewalls, the setup is simple and straightforward. I was able to implement this solution within two hours, and that included some other route changes in the LAN.
